Improve removal of storage-encryption-secret finalizer #604
When we create the `storage-encryption-key` secret, we add a finalizer. Since this finalizer would block the deletion of the whole namespace if it wasn't removed, we always try to remove that finalizer, even if the `enableRandomStorageEncryptionSecretFlg` is currently set to `false`. We do this because it might have been set to `true` in the past, which would mean there might be existing secrets with finalizers which would, again, block the removal of the namespace.

Now the problem is that we do not take a closer look at the `err` when fetching the secret to remove its finalizer. If the secret is not found, there is no corresponding finalizer and we could continue the removal of the namespace without error. But since we don't check for the actual error content, we show an error message when deleting any postgres database that does not have that `storage-encryption-key` (since we cannot fetch the non-existent secret to remove the non-existent finalizer).

To solve this, we simply check for IsNotFound and carry on.
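The pattern described above, as an added example that is not this pull request's code: a missing secret is treated as "nothing to clean up", while every other fetch error is still returned. `SecretStore`, `ErrNotFound`, `RemoveFinalizer` and the finalizer name are hypothetical stand-ins so the example runs without a cluster; with client-go the equivalent check is `apierrors.IsNotFound(err)`.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound stands in for the API server's NotFound status (assumption);
// with client-go the equivalent check is apierrors.IsNotFound(err).
var ErrNotFound = errors.New("secret not found")

// SecretStore is a hypothetical in-memory stand-in for the API client.
type SecretStore struct {
	Finalizers map[string][]string // secret name -> finalizers
	GetErr     error               // injected failure such as a timeout
}

func (s *SecretStore) Get(name string) ([]string, error) {
	if s.GetErr != nil {
		return nil, s.GetErr
	}
	if f, ok := s.Finalizers[name]; ok {
		return f, nil
	}
	return nil, fmt.Errorf("get %q: %w", name, ErrNotFound)
}

// RemoveFinalizer reports whether it removed finalizer from the named secret.
// A missing secret is not an error; any other fetch error is returned.
func RemoveFinalizer(s *SecretStore, name, finalizer string) (bool, error) {
	cur, err := s.Get(name)
	if errors.Is(err, ErrNotFound) {
		return false, nil
	}
	if err != nil {
		return false, fmt.Errorf("fetch secret %q: %w", name, err)
	}
	kept := make([]string, 0, len(cur))
	for _, f := range cur {
		if f != finalizer {
			kept = append(kept, f)
		}
	}
	s.Finalizers[name] = kept
	return len(kept) != len(cur), nil
}

func main() { // constructed input: an empty store, so the secret does not exist
	fmt.Println(RemoveFinalizer(&SecretStore{}, "storage-encryption-key", "example.invalid/cleanup"))
}
```

Only the NotFound case is swallowed; a timeout or permission error still surfaces, so a finalizer that does exist is never skipped silently.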